Microsoft patches 28 vulnerabilities, including zero-day
Microsoft on Tuesdau released patches for 28 vulnerabilities in numerous products. The most important ones for most users fix serious vulnerabilities in Internet Explorer, Windows and the .NET Framework.
Here is a breakdown of the bulletins and what they address.
MS13-80 (Critical): Cumulative Security Update for Internet Explorer (2879017) This is a cumulative update for Internet Explorer which addresses 10 vulnerabilities, one of which is a zero-day vulnerability in the wild for over a week. (Microsoft had provided a Fix-It as an interim measure.)
MS13-81 (Critical): Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008) - This update fixes 7 vulnerabilities reported by outside researchers. One could allow complete system compromise when the user views maliciously-constructed OpenType fonts, and another for TrueType fonts. The other 5 are privilege escalation bugs. All versions of Windows other than 8.1, 8.1 RT and Server 2012 R2 are affected.
Featured
MS13-82 (Critical): Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890) — This describes 3 vulnerabilities in most versions of the .NET Framework. The one critical vulnerability is the same OpenType parsing bug in MS13-081.
MS13-83 (Critical): Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058) — A vulnerability in Windows can be exploited through an ASP.NET web application running on it.
MS13-84 (Important): Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)
MS13-85 (Important): Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
MS13-86 (Important): Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
MS13-87 (Important): Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
This month marks 10 years of Patch Tuesdays.